-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:21.tcpip                                      Security Advisory
                                                                FreeBSD, Inc.

Topic:          routing table memory leak

Category:       core
Module:         net
Announced:      2002-04-17
Credits:        Jayanth Vijayaraghavan <jayanth@FreeBSD.org>
                Ruslan Ermilov <ru@FreeBSD.org>
Affects:        FreeBSD 4.5-RELEASE
                FreeBSD 4-STABLE after 2001-12-07 09:23:11 UTC
                    and prior to the correction date
Corrected:      2002-03-22 16:54:19 UTC (RELENG_4)
                2002-04-15 17:12:08 UTC (RELENG_4_5)
FreeBSD only:   YES

I.   Background

The TCP/IP stack's routing table records information about how to
reach various destinations.  The first time a TCP connection is
established with a particular host, a so-called "cloned route" entry
for that host is automatically derived from one of the predefined
routes and added to the table.  Each entry has a reference count that
indicates how many existing connections use that entry; when the
reference count reaches zero, the entry is removed from the table.

II.  Problem Description

A bug was introduced into ip_output() wherein the processing of an
ICMP echo reply message would cause a reference count on a routing
table entry to never be decremented.  Thus, memory allocated for the
routing table entry was never deallocated.

III. Impact

This bug could be exploited to effect a remote denial of service
attack.  An attacker could cause new routing table entries (for
example, by taking advantage of TCP's route cloning behavior) and
then utilize this bug to cause the route entry to never be
deallocated.  In this fashion, the target system's memory can be
exhausted.

IV.  Workaround

Use a packet filter (see ipf(8) or ipfw(8)) to deny ICMP echo
messages.

V.   Solution

1) Upgrade your vulnerable system to 4.5-STABLE, 4.5-RELEASE-p3, or
the RELENG_4_5 security branch dated after the respective correction
dates.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[4.5-RELEASE,
 4-STABLE between 2001-12-28 10:08:33 UTC and 2002-02-20 14:57:41 UTC]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:21/tcpip.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:21/tcpip.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                                             Revision
  Branch
- -------------------------------------------------------------------------
sys/netinet/ip_icmp.c
  RELENG_4                                                      1.39.2.16
  RELENG_4_5                                                1.39.2.14.2.1
sys/netinet/ip_mroute.c
  RELENG_4                                                       1.56.2.4
  RELENG_4_5                                                 1.56.2.3.2.1
sys/netinet/ip_output.c
  RELENG_4                                                      1.99.2.29
  RELENG_4_5                                                1.99.2.24.2.1
- -------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPL3IEFUuHi5z0oilAQE56AP/X0tJA/Q0y42JDqxI2A0NRnKyR5YWoH8D
i3izr0MxMTyPnuWg+uZHZhr/ve2AS2mTfNi7do0Ehdw0U2CEMnPKEVLMqt7kMFmL
i+ib4HCijb4RWn3WEC6ueO14SQDCB+X9w/yCVEfeHMWd2PrQWtDoCPmurOuQCz4W
IFu9kJLMhMA=
=qsYz
-----END PGP SIGNATURE-----
